Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918444 (CVE-2023-3417) - <mail-client/thunderbird{-bin,}-115.5.0: multiple vulnerabilities
Summary: <mail-client/thunderbird{-bin,}-115.5.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-3417
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2023-3600, CVE-2023-37201, CVE-2023-37202, CVE-2023-37207, CVE-2023-37208, CVE-2023-37211, CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4051, CVE-2023-4052, CVE-2023-4053, CVE-2023-4054, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4576, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4582, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585, CVE-2023-5168, CVE-2023-5169, CVE-2023-5171, CVE-2023-5174, CVE-2023-5176, CVE-2023-5721, CVE-2023-5724, CVE-2023-5725, CVE-2023-5726, CVE-2023-5727, CVE-2023-5728, CVE-2023-5730, CVE-2023-5732, CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212
  Show dependency tree
 
Reported: 2023-11-25 03:39 UTC by John Helmert III
Modified: 2024-02-19 06:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 03:39:11 UTC 
CVE-2023-3417:

Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document file, while in  fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension. This vulnerability affects Thunderbird < 115.0.1 and Thunderbird < 102.13.1.

https://www.mozilla.org/security/advisories/mfsa2023-27/
https://www.mozilla.org/security/advisories/mfsa2023-28/

More details also in tracker. Please cleanup remaining affected versions.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 03:40:10 UTC 
Oops, wrong tracker..
Comment 2 Larry the Git Cow gentoo-dev 2024-02-19 06:11:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=39f2a7a485887d1506cfabc1ac4bee230c06a1e7

commit 39f2a7a485887d1506cfabc1ac4bee230c06a1e7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 05:59:01 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-25 ] Mozilla Thunderbird: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/918444
    Bug: https://bugs.gentoo.org/920508
    Bug: https://bugs.gentoo.org/924845
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-25.xml | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)